How to avoid Meltdown, Spectre and CSRF Attacks on Web with CORP, CORB, and CORS?
A brief and useful content about the mechanics on Cross-Origin Read Blocking, Cross-Origin Resource Policy and Cross-Origin Resource Sharing against Meltdown, Spectre and CSRF Attacks.
CORB
By design, Cross-Origin Read Blocking validates browser requests before they even reach the server, using their MIME type as the validation rule.
To enable it, send the HTTP header X-Content-Type-Options: nosniff from the server.
CORP
Cross-Origin Resource Policy is a mechanism complementary to CORB: it validates requests flagged with no-cors and rejects them if they came from a different domain or origin.
Send the header Cross-Origin-Resource-Policy from the server with the value same-origin or same-site to reject no-cors requests from a different domain or origin.
CORS
Cross-Origin Resource Sharing is a logical context mechanism that ensures a minimal level of security in the way users consume web content through their browsers, by instructing the browser how to validate the origin of requests.
To define the rules by which the origin of a request is identified, send the HTTP header Access-Control-Allow-Origin with a value such as <exact_request_origin>, or with the more generic value *.
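The three headers above, emitted from one server-side helper, as an added example that is not part of the original post. The origin allowlist and the origins in it are constructed for illustration; the point it makes beyond the text is that the exact-origin value must come from an allowlist match (never by reflecting whatever Origin the client sent) and that * cannot be combined with credentials.

```python
from typing import Optional

# Constructed allowlist of trusted origins for this example (not from the article).
ALLOWED_ORIGINS = frozenset({"https://app.example", "https://admin.example"})


def security_headers(request_origin: Optional[str],
                     allow_any_origin: bool = False,
                     allow_credentials: bool = False,
                     corp: str = "same-origin") -> dict:
    """Build the response headers the article lists.

    X-Content-Type-Options: nosniff   -> CORB can rely on the declared MIME type
    Cross-Origin-Resource-Policy      -> 'same-origin' or 'same-site', rejecting
                                         no-cors loads from other origins/sites
    Access-Control-Allow-Origin       -> the exact allowlisted origin, or '*' only
                                         for a public, non-credentialed resource
    """
    if corp not in ("same-origin", "same-site"):
        raise ValueError("CORP must be same-origin or same-site")
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Cross-Origin-Resource-Policy": corp,
    }
    if allow_any_origin:
        if allow_credentials:
            # Browsers reject '*' together with credentials; refuse to emit it.
            raise ValueError("'*' cannot be combined with credentials")
        headers["Access-Control-Allow-Origin"] = "*"
    elif request_origin in ALLOWED_ORIGINS:
        # Echo the exact origin only after an allowlist match. Reflecting any
        # Origin unconditionally would grant every site credentialed access.
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Vary"] = "Origin"  # shared caches must key on Origin
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    # Unknown or missing Origin: no ACAO header, so the browser blocks the read.
    return headers
```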
Conclusion
I hope you now understand a bit better why to use these features.
Try not to disable or ignore them in your web applications: Meltdown, Spectre and CSRF attacks are really dangerous.